I was asked recently: Johannes, how can we log data about NetScaler Application Firewall policy hits in detail?

The standard NetScaler Web Application Firewall log-files

NetScaler’s Web Application Firewall logs to /var/log/ns.log. These logs are fine for troubleshooting. There is a good description of these logs here. This is a sample log, stolen from a Citrix blog about NetScaler Web Application Firewall (WAF) logging:

This log shows a blocked cross-site scripting (XSS) attack. It’s a reply to a form submitted using the HTTP GET method.

A custom error page?

Yes, this is something we could definitely do: create a custom error page that displays details about why the request was blocked. Obviously, we don’t want to show information like this to an attacker, so we will never use a page like this in production. However, it would be a nice-to-have in a test environment. So I created a file following CTX140293. This file can easily be imported into a WAF profile and will display the transaction ID, session ID, violation category, the log entry shown in the event log and the corresponding session cookie. Feel free to download this file following this link.

I could also imagine a page displaying only the transaction ID. A person blocked by mistake could then give this ID to the help-desk, and it would be easy for the help-desk to find the corresponding log entry on your syslog server.

Unfortunately, all this is not detailed enough during the test and pre-prod / implementation phase. Too much data is missing: cookies beyond the session cookie, HTTP PUT or POST data, headers and much more. So we have to take network traces. But traces are time-consuming to read. So what to do?

I have written another blog post about logging responder and rewrite policies. Just as with responder and rewrite policies, we can log AppFW policy hits. So turn on “User Configurable Log Messages” in “Change Auditing Syslog Settings”.

Useful logging policies for NetScaler Web Application Firewall:

Well, don’t do this in production: it might lead to duplicated log entries and might print sensitive data like usernames and passwords into your logs (which is not desired). I suggest using these policies in test and pre-prod/staging environments only!

I use warning as the severity, as NetScaler Web Application Firewall messages (unlike other messages) usually use warning as their severity.
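As an added example (not from the original post, and not Citrix’s own sample), here is what such a logging setup looks like on the NetScaler CLI: an audit message action with severity WARNING that writes client IP, method, URL, request headers and the first part of the body to syslog, attached to an AppFW policy as its log action. The object names appfw_log_hits, appfw_pol_test and appfw_prof_test are placeholders, and the profile is assumed to exist already.

```text
# Step 1: allow user-defined audit messages
# (the GUI setting "User Configurable Log Messages" under "Change Auditing Syslog Settings")
set audit syslogParams -userDefinedAuditlog YES

# Step 2: the message to write on every policy hit.
# Severity WARNING matches the severity the WAF uses for its own messages.
# HTTP_HEADER_SAFE / HTTP_URL_SAFE encode CR/LF and other unsafe characters,
# so a crafted header or URL cannot break the log line into several lines.
# -bypassSafetyCheck YES is needed because the expression reads the request body.
# Test / pre-prod only: this writes cookies, headers and body data (possibly
# credentials) into the log, exactly the caveat given in the post.
add audit messageaction appfw_log_hits WARNING '"APPFW-HIT src=" + CLIENT.IP.SRC + " " + HTTP.REQ.METHOD + " " + HTTP.REQ.URL.HTTP_URL_SAFE + " headers=[" + HTTP.REQ.FULL_HEADER.HTTP_HEADER_SAFE + "] body=[" + HTTP.REQ.BODY(1000).HTTP_HEADER_SAFE + "]"' -logtoNewnslog YES -bypassSafetyCheck YES

# Step 3: attach the message action to the AppFW policy as its log action
# (same -logAction parameter as for responder and rewrite policies)
add appfw policy appfw_pol_test true appfw_prof_test -logAction appfw_log_hits
bind appfw global appfw_pol_test 100
```

Every request evaluated by appfw_pol_test then produces one additional line in /var/log/ns.log (and on the configured syslog server) alongside the WAF’s own violation message; remove the -logAction again before the setup goes to production.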

I guess the limit on your external syslog server is due to restrictions there. I would have to do a network trace to see. I didn’t know about messages getting truncated, but if they are, I have no idea how to overcome this (and currently no time to find out). I’m sorry :'(